The appearance of new extortion code spread quickly
'Bad Rabbit' is a new extortion code that is spreading rapidly in Russia and Western Europe.
According to security firm Group-IB, ransomware called Bad Rabbit attacked three Russian broadcasters, including Interfax. Once on the computer, Bad Rabbit displays the message with a red character on the black background, quite similar to ransomware NotPetya . Hackers ask victims to log into the Tor website to pay 0.05 Bitcoin (equivalent to 282 USD at the time of writing). The website also displays a countdown timer before this amount increases.
It is unclear who is behind the attack, who the victim is, how it spreads or where it came from. On Twitter, Interfax said that due to network attacks, their servers are collapsing. Odessa Airport in Ukraine is also affected by the October 24 attack but it is unclear if it is Bad Rabbit.
Bad Rabbit bad code.
Ukraine CERT-UA Computer Emergency Response Agency posted a warning on October 24 about a new wave of cyber attacks that did not mention Bad Rabbit. Group-IB spokesperson said Bad Rabbit aimed at Russian broadcasters like Interfax and Fontanka as well as those in Ukraine such as Odessa airport, Kiev metro station, Ukraine Ministry of Energy.
Kaspersky Lab provides the majority of Bad Rabbit infections in Russia, besides some in Ukraine, Turkey and Germany. Security companies call Bad Rabbit a 'targeted attack on the corporate network, using a method similar to the one used in the ExPetr attack (NotPetya)'. However, Kaspersky could not confirm whether it was related to NotPetya.
ESET, another network security company in the Czech Republic, confirmed having a ransomware campaign. On the blog, the company wrote at least the case of Kiev station, the malicious code is 'new variant of ransomware Petya'. ESET has identified hundreds of infections.
A researcher from Proofpoint said that Bad Rabbit was distributed through a fake Adobe Flash Player installation tool. Kaspersky Lab experts also confirmed and added that the dropper malware - a file that emits malicious code - is distributed through legitimate sites but is trapped, all of which are news or media.
The fake Adobe Flash Player is not the only way. According to ESET, ransomware also tries to infect computers on the same local network via Windows' SMB data sharing protocol and then uses the Mimikatz tool .
According to VirusTotal's malicious library, very few security companies initially identified Bad Rabbit as malicious. A McAfee researcher said Bad Rabbit encrypted many different file types, including .doc, .docx, .jpg and other popular file types. Some experts say Bad Rabbit contains a number of references to the Games of Thrones series, namely the names of 3 Drogon, Rhaegal, Viserion dragons. Hackers also mentioned Hackers (1995) in their code.
As usual, any victim does not encourage paying a ransom. There is no guarantee you will get back the data but more importantly, refuse to reduce the motivation of future ransom malicious attacks.
- Video: WannaCry's terrifying spread rate
- Not only blackmail, WannaCry malicious code can be deadly
- Overview of Wannacry virus - The world's most dangerous malicious code
- Information Security Department instructs how to handle emergency WannaCry extortion codes
- Ursnif Trojan is back and more malicious
- Hackers use the Olympics to spread malicious code
- The US website contains 63% of the malicious code
- Online video is used to spread malicious code
- Little interesting things about QR codes
- The software enabled Vista to spread widely on the network
- The first virus spread on iPhone
- Hackers kidnap Windows Update to spread malicious code